VVS Stealer Uses Advanced Obfuscation to Target Discord Users


A Python-based malware family known as VVS stealer has been observed using advanced obfuscation and stealth techniques to target Discord users and extract sensitive data.

The malware, also styled as VVS $tealer, was previously marketed for sale on Telegram and appears to have been in active development from at least April 2025.

According to a new advisory published last week by Palo Alto Networks, the stealer is written in Python and distributed as a PyInstaller package, allowing it to run on victim systems without additional dependencies.

Its code is protected using Pyarmor, a legitimate tool that can also be abused to hinder static analysis and signature-based detection.

How the Malware Operates

The analysis shows that VVS stealer is designed primarily to harvest Discord-related data, while also targeting information stored in web browsers.

Once installed, it establishes persistence by copying itself into the Windows startup folder and attempts to remain unnoticed by displaying fake error messages.

Its advertised and observed capabilities include:

  • Stealing Discord tokens and account information

  • Injecting malicious JavaScript into the Discord application to hijack active sessions

  • Extracting browser data such as cookies, passwords, history and autofill entries


Obfuscation, Decryption and Exfiltration

Palo Alto Networks found that Pyarmor was used in BCC mode, converting Python functions into compiled C code stored in a separate ELF file. The protected bytecode and strings were encrypted using AES-128-CTR, with keys and nonces tied to a specific Pyarmor license.

By reversing these layers, analysts were able to reconstruct large portions of the original Python logic and observe how encrypted payloads and strings were processed.

Once Discord tokens are decrypted, the malware queries multiple Discord API endpoints to collect user details, including account settings, billing information and friends lists. This data is then exfiltrated via HTTP POST requests to Discord webhooks, a mechanism that does not require authentication.

The stealer also targets a wide range of Chromium-based and Firefox browsers, compressing stolen data into a single ZIP archive before exfiltration. The malware sample analyzed is configured to stop functioning after October 31, 2026.
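For defenders, the two host-visible behaviours described above (an executable written to the Windows startup folder, and HTTP POSTs to Discord webhooks) can be hunted together. The following is an added example, not code from Palo Alto Networks or the article; the event schema, host names, process allowlist and sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Discord webhook URLs: discord.com or legacy discordapp.com, optional ptb./canary. subdomain
WEBHOOK_RE = re.compile(
    r"^https://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/\d+/[\w-]+", re.I)
# Matches both the per-user and the all-users Startup folder on Windows
STARTUP_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:exe|scr|bat|cmd|lnk)$", re.I)
# Assumption: process names this environment accepts as webhook callers; tune locally
ALLOWED_POSTERS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

def triage(events):
    """Return {host: sorted finding names} for the two behaviours described above."""
    findings = defaultdict(set)
    for ev in events:
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if ev["type"] == "file_create" and STARTUP_RE.search(ev["path"]):
            findings[ev["host"]].add("startup_persistence")
        elif (ev["type"] == "http" and ev["method"] == "POST"
              and WEBHOOK_RE.match(ev["url"]) and image not in ALLOWED_POSTERS):
            findings[ev["host"]].add("webhook_post_unexpected_process")
    # Both behaviours on the same host raise the priority of the alert
    for names in findings.values():
        if {"startup_persistence", "webhook_post_unexpected_process"} <= names:
            names.add("correlated_stealer_pattern")
    return {host: sorted(names) for host, names in findings.items()}

# Constructed sample telemetry (hypothetical schema and values, not from the advisory)
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "file_create", "image": r"C:\Users\a\Downloads\setup.exe",
     "path": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe"},
    {"host": "WS-01", "type": "http", "method": "POST", "image": r"C:\Users\a\Downloads\setup.exe",
     "url": "https://discord.com/api/webhooks/123456789012345678/EXAMPLE-TOKEN_placeholder"},
    {"host": "WS-02", "type": "http", "method": "POST",
     "image": r"C:\Users\b\AppData\Local\Discord\app-1.0.0\Discord.exe",
     "url": "https://discord.com/api/webhooks/123456789012345678/EXAMPLE-TOKEN_placeholder"},
    {"host": "WS-03", "type": "file_create", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\c\Documents\report.exe"},
]

if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(host, names)
```

Because webhook POSTs need no authentication and go to a domain many networks allow, the calling process is the most useful discriminator; the allowlist should reflect what actually posts to webhooks in the monitored environment.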

“VVS stealer demonstrates how tools like Pyarmor, which can be used for legitimate purposes, can also be leveraged to build stealthy malware aimed at hijacking credentials for popular platforms such as Discord,” Palo Alto Networks wrote.

“Its emergence signals a need for defenders to strengthen monitoring around credential theft and account abuse.”

Image credit: Sergei Elagin / Shutterstock.com
